[tex-live] omfonts one-byte heap overflow

Tom Kacvinsky tom.kacvinsky at suse.com
Thu Sep 27 00:20:27 CEST 2018 

I'll poke at this in my free time.  Would be interesting to see if it also happens
on openSUSE/SUSE distributions (though 32-bit development support was dropped from
SLES 12).

> On Sep 26, 2018, at 16:52:06, Johannes Hielscher <jhielscher at posteo.de> wrote:
> 
> So finally, someone else has run into (presumably) the same problem as
> me, as I reported in the tlbuild list on 2018-04-08:
> https://tug.org/pipermail/tlbuild/2018q2/004207.html
> 
> Back then, I didn't find a solution there, so I cannot give some clever
> advice here )-:
> 
> (Even worse, my tests did succeed when called explicitly from the shell,
> instead of by the test suite.)
> 
> Am Fri, 21 Sep 2018 14:42:37 -0400
> schrieb Tom Callaway <tcallawa at redhat.com>:
> 
>> I noticed that the omegafonts test suite from tl2018 was failing in
>> Fedora rawhide, despite no code changes since the last build.
>> 
>> ============================================================================
>> Testsuite summary for Web2C 2018
>> ============================================================================
>> # TOTAL: 16
>> # PASS:  15
>> # SKIP:  0
>> # XFAIL: 0
>> # FAIL:  1
>> # XPASS: 0
>> # ERROR: 0
>> ============================================================================
>> See omegafonts/test-suite.log
>> Please report to tex-k at tug.org
>> ============================================================================
>> 
>> This only seemed to happen on i686 and armv7hl builds. I reproduced it
>> locally in an i686 chroot. The test-suite.log says:
>> 
>> FAIL: check
>> ===========
>> 
>> #! /bin/sh -vx
>> # $Id: check.test 45809 2017-11-15 00:36:56Z karl $
>> # Copyright 2017 Karl Berry <tex-live at tug.org>
>> # Copyright 2014, 2015 Peter Breitenlohner <tex-live at tug.org>
>> # You may freely use, modify and/or distribute this file.
>> 
>> test -d tests || mkdir -p tests
>> + test -d tests
>> 
>> TEXMFCNF=$srcdir/../../kpathsea
>> + TEXMFCNF=../../../../texk/web2c/omegafonts/../../kpathsea
>> OFMFONTS=".;./tests"
>> + OFMFONTS='.;./tests'
>> export TEXMFCNF OFMFONTS
>> + export TEXMFCNF OFMFONTS
>> 
>> echo && echo "*** ofm2opl check xcheck"
>> + echo
>> 
>> + echo '*** ofm2opl check xcheck'
>> *** ofm2opl check xcheck
>> ./omfonts -ofm2opl $srcdir/tests/check tests/xcheck || exit 1
>> + ./omfonts -ofm2opl ../../../../texk/web2c/omegafonts/tests/check
>> tests/xcheck
>> Bad OFM file: Ligature/kern step 2 skips too far;
>> I made it stop.
>> Bad OFM file: Kern index too large.
>> malloc(): invalid next size (unsorted)
>> ../../../../texk/web2c/omegafonts/check.test: line 14:  9396 Aborted
>>            (core dumped) ./omfonts -ofm2opl $srcdir/tests/check
>> tests/xcheck
>> + exit 1
>> FAIL check.test (exit status: 1)
>> 
>> *****
>> 
>> The gdb backtrace looks like this:
>> 
>> Program received signal SIGABRT, Aborted.
>> 0xf7fd2079 in __kernel_vsyscall ()
>> (gdb) bt
>> #0  0xf7fd2079 in __kernel_vsyscall ()
>> #1  0xf7e29b36 in __libc_signal_restore_set (set=0xffffcdcc) at
>> ../sysdeps/unix/sysv/linux/internal-signals.h:84
>> #2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
>> #3  0xf7e13374 in __GI_abort () at abort.c:79
>> #4  0xf7e6e37c in __libc_message (action=<optimized out>,
>> fmt=<optimized
>> out>) at ../sysdeps/posix/libc_fatal.c:181  
>> #5  0xf7e753bf in malloc_printerr (str=str at entry=0xf7f52850 "malloc():
>> invalid next size (unsorted)") at malloc.c:5354
>> #6  0xf7e7802b in _int_malloc (av=av at entry=0xf7f9f7a0 <main_arena>,
>> bytes=bytes at entry=4) at malloc.c:3727
>> #7  0xf7e797dd in __GI___libc_malloc (bytes=4) at malloc.c:3041
>> #8  0xf7fbd9e8 in xmalloc (size=4)
>> at ../../../texk/kpathsea/xmalloc.c:25 #9  0x56559e55 in
>> retrieve_exten_table (table=0x565d5f20 "")
>> at ../../../../texk/web2c/omegafonts/char_routines.c:837 #10
>> 0x56562ce7 in ofm_read_rest ()
>> at ../../../../texk/web2c/omegafonts/parse_ofm.c:371 #11 parse_ofm
>> (read_ovf=0) at ../../../../texk/web2c/omegafonts/parse_ofm.c:99
>> #12 0x565579e1 in main (argc=<optimized out>, argv=<optimized out>) at
>> ../../../../texk/web2c/omegafonts/omfonts.c:286
>> 
>> I thought it might be a malloc bug in the latest glibc, but the glibc
>> maintainers advised me to run valgrind. When I did that, it showed:
>> 
>> =20225== Memcheck, a memory error detector
>> ==20225== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et
>> al. ==20225== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for
>> copyright info
>> ==20225== Command: .libs/omfonts -ofm2opl
>> ../../../../texk/web2c/omegafonts/tests/check tests/xcheck
>> ==20225==
>> ==20225== Invalid write of size 1
>> ==20225==    at 0x10CA60: adjust_labels (char_routines.c:695)
>> ==20225==    by 0x115CC1: ofm_read_rest (parse_ofm.c:368)
>> ==20225==    by 0x115CC1: parse_ofm (parse_ofm.c:99)
>> ==20225==    by 0x10A9E0: main (omfonts.c:286)
>> ==20225==  Address 0x4b13ecc is 0 bytes after a block of size 12
>> alloc'd ==20225==    at 0x4837717: calloc (vg_replace_malloc.c:752)
>> ==20225==    by 0x48555E4: xcalloc (xcalloc.c:25)
>> ==20225==    by 0x1137C9: retrieve_ligkern_table
>> (ligkern_routines.c:652) ==20225==    by 0x115CB5: ofm_read_rest
>> (parse_ofm.c:367) ==20225==    by 0x115CB5: parse_ofm (parse_ofm.c:99)
>> ==20225==    by 0x10A9E0: main (omfonts.c:286)
>> ==20225==
>> 
>> Turns out that the latest glibc code (as found in the latest revisions
>> of Fedora) is much better at catching malloc heap corruption. I
>> thought at first it was a glibc issue, but the Fedora glibc
>> maintainers helped me to confirm that it was not.
>> 
>> It looks like there is a one-byte heap overflow, maybe in the
>> FOR_ALL_CHARACTERS macro in char_routines.c?
>> 
>> I'm learning a lot as I go on this one, but I think I've gone as far
>> as I can. Any and all help in fixing this would be greatly
>> appreciated.
>> 
>> Thanks in advance,
>> 
>> ~tom
>> 
>

More information about the tex-live mailing list